Amendments to the Claims

Claim 1 (currently amended): A method of improving intrusion detection in a computing network, comprising steps of:

defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;

for each of a plurality of potential intrusion events, defining a set of at least one conditions which describe the potential intrusion event;

associating one of the defined intrusion suspicion levels with each of the sets of conditions;

defining a plurality of sensitivity levels for filtering intrusion events when performing the intrusion detection processing; and

performing intrusion detection for a particular inbound communication received for the computing device, further comprising steps of:

determining whether any of the at least one sets of conditions are matched; and

if so, using a currently-applicable one of the defined sensitivity levels, in concert with the defined intrusion suspicion [[levels]] level associated with the matched conditions, to determine if [[a]] the particular inbound communication [[destined for the computing device]] should be treated as an intrusion event.
Claim 3 (currently amended): The method according to Claim [[2]] 1, wherein the determining step further comprises comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets.

Claim 4 (currently amended): The method according to Claim 3, wherein the current conditions in the computing device comprise contents of the particular inbound communication.

Claim 5 (currently amended): The method according to Claim 4, wherein the current conditions in the computing device further comprise a protocol state of a protocol stack which processes the particular inbound communication.

Claim 6 (currently amended): The method according to Claim 1, further comprising the step of taking one or more defensive actions [[when the using step determines]] upon determining that the particular inbound communication should be treated as an intrusion event.

Claim 7 (original): The method according to Claim 6, wherein the defensive actions are determined by consulting intrusion detection policy information.

Claim 8 (currently amended): The method according to Claim [[6]] 7, wherein the intrusion detection policy information is stored in a network-accessible repository.

Serial No. 10/058,689 -3- RSW920020011US1

Claim 9 (currently amended): The method according to Claim 1, wherein [[the using step further comprises comparing the particular inbound communication to]] at least one set of conditions represents one or more attack signatures.

Claim 10 (original): The method according to Claim 9, wherein at least one of the attack signatures is a class signature representing a class of attacks.

Claim 11 (currently amended): The method according to Claim [[9]] 1, wherein each of the at least one set of conditions is [[attack signatures are]] specified [[as conditions]] as a condition part in an intrusion detection [[rules]] rule, and wherein each of the intrusion detection rules further specifies at least one action [[comprises one or more actions that are]] to be taken upon determining [[when the using step determines]] that the particular inbound communication should be treated as an intrusion event.

Claim 12 (currently amended): The method according to Claim 1, wherein the performing [[using]] step operates in the computing device for which the particular inbound communication is destined.

Claim 13 (currently amended): The method according to Claim 12, wherein the performing [[using]] step operates within layer-specific intrusion detection logic executing in a protocol stack running on the computing device.

Claim 14 (currently amended): The method according to Claim 1, wherein the performing [[using]] step operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.

Claim 15 (currently amended): The method according to Claim 1, [[further comprising steps of: for each of a plurality of potential intrusion events, defining a set of one or more conditions which describe the potential intrusion event; associating a sensitivity level with each of the sets of conditions; and determining a suspicion level of the particular inbound communication;]] wherein the using step further comprises consulting a stored mapping between each of the defined sensitivity levels and each of the defined intrusion suspicion levels, using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched conditions, to determine if [[determines that]] the particular inbound communication should be treated as an intrusion event [[when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions]].
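The detection scheme of Claims 1, 11 and 15 (a rule's condition part is matched against the inbound communication and the device's current state, the suspicion level attached to the matched conditions is then looked up against the currently-applicable sensitivity level in a stored mapping, and only then is the rule's action part taken) can be exercised with a small evaluator. The following Python is an added example written for this page; it is not code from the patent application or its assignee. The rule base, the mapping table, the packet fields, the action labels and the sample communications are all constructed here for illustration.

```python
"""Added example: a minimal evaluator for the suspicion/sensitivity scheme of
Claims 1, 11 and 15. Rules, mapping table, packet fields and sample inputs are
constructed for illustration and are not taken from the patent application."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


class Suspicion(IntEnum):
    """Intrusion suspicion level attached to each set of conditions (Claim 1)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Sensitivity(IntEnum):
    """Filtering sensitivity level; the currently-applicable one is chosen by an
    administrator or by configuration data (Claims 57 and 58)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Stored mapping between sensitivity levels and suspicion levels (Claim 15):
# at a given sensitivity a matched rule counts as an intrusion event only if its
# suspicion level reaches the listed minimum. The values are constructed.
MAPPING: Dict[Sensitivity, Suspicion] = {
    Sensitivity.LOW: Suspicion.HIGH,      # low sensitivity: only high-suspicion matches fire
    Sensitivity.MEDIUM: Suspicion.MEDIUM,
    Sensitivity.HIGH: Suspicion.LOW,      # high sensitivity: any match fires
}


@dataclass
class Inbound:
    """A constructed inbound communication together with the device state the
    conditions may inspect: payload contents (Claim 4), protocol state of the
    stack processing it (Claim 5) and a system-state counter (Claims 54, 55)."""
    src: str
    dst_port: int
    payload: bytes
    tcp_state: str
    syn_backlog: int


Condition = Callable[[Inbound], bool]


@dataclass
class Rule:
    """An intrusion detection rule: condition part, suspicion level and action
    part (Claims 11 and 45). Action names are constructed labels."""
    name: str
    conditions: List[Condition]
    suspicion: Suspicion
    actions: List[str]

    def matches(self, pkt: Inbound) -> bool:
        # A set of conditions is matched only when every condition holds.
        return all(cond(pkt) for cond in self.conditions)


# Constructed rule base.
RULES: List[Rule] = [
    Rule("long-payload-on-ssh",
         [lambda p: p.dst_port == 22, lambda p: len(p.payload) > 64],
         Suspicion.LOW, ["log"]),
    Rule("data-before-handshake",
         [lambda p: p.tcp_state != "ESTABLISHED", lambda p: len(p.payload) > 0],
         Suspicion.MEDIUM, ["log", "discard"]),
    Rule("syn-backlog-threshold",
         [lambda p: p.syn_backlog >= 1000],
         Suspicion.HIGH, ["alert", "rate-limit"]),
]


def evaluate(pkt: Inbound, sensitivity: Sensitivity,
             rules: List[Rule] = RULES) -> Tuple[bool, List[str], List[str]]:
    """Perform the detection step of Claim 1: find the matched condition sets,
    then use the currently-applicable sensitivity level together with each
    matched rule's suspicion level to decide whether this is an intrusion event.
    Returns (is_intrusion, names of matched rules, defensive actions to take)."""
    matched = [r for r in rules if r.matches(pkt)]
    threshold = MAPPING[sensitivity]
    triggering = [r for r in matched if r.suspicion >= threshold]
    actions: List[str] = []
    for r in triggering:
        for a in r.actions:
            if a not in actions:
                actions.append(a)
    return bool(triggering), [r.name for r in matched], actions


# Constructed sample communications.
PKT_SSH = Inbound("198.51.100.7", 22, b"A" * 100, "ESTABLISHED", 10)
PKT_FLOOD = Inbound("203.0.113.5", 80, b"GET", "SYN_RECEIVED", 1200)

if __name__ == "__main__":
    for pkt in (PKT_SSH, PKT_FLOOD):
        for level in Sensitivity:
            hit, matched, actions = evaluate(pkt, level)
            print(f"{pkt.src} at sensitivity {level.name}: intrusion={hit} "
                  f"matched={matched} actions={actions}")
```

The same sample communication produces different verdicts at different sensitivity levels, which is the filtering the claims describe: the low-suspicion `long-payload-on-ssh` match is only treated as an intrusion event at the highest sensitivity, while the high-suspicion backlog threshold fires even at the lowest. Keeping the mapping as a separate table, rather than hard-coding thresholds into each rule, is what lets an administrator change the currently-applicable level without touching the rule base.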

Claims 16 - 21 (canceled) 

Claim 22 (currently amended): A system for improving intrusion detection in a computing network, comprising:

[[means for defining]] a plurality of intrusion suspicion levels defined for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;

for each of a plurality of potential intrusion events, a defined set of at least one conditions which describe the potential intrusion event;

means for associating one of the defined intrusion suspicion levels with each of the defined sets of conditions;

a plurality of sensitivity levels defined for filtering intrusion events when performing the intrusion detection processing; and

means for performing intrusion detection for a particular inbound communication received for the computing device, further comprising:

means for determining whether any of the at least one defined sets of conditions are matched; and

if so, means for using a currently-applicable one of the defined sensitivity levels, in concert with the defined intrusion suspicion [[levels]] level associated with the matched conditions, to determine if [[a]] the particular inbound communication destined for the computing device should be treated as an intrusion event.

Claim 23 (canceled) 

Claim 24 (currently amended): The system according to Claim [[23]] 22, wherein the means for determining further comprises means for comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets.

Claim 25 (currently amended): The system according to Claim 22, further comprising means for taking one or more defensive actions [[when the means for using determines]] upon determining that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information.

Claim 26 (currently amended): The system according to Claim 22, wherein each of the [[means for using further comprises means for comparing the particular inbound communication to]] at least one set of conditions is [[one or more attack signatures; wherein the attack signatures are]] specified as [[conditions]] a condition part in an intrusion detection [[rules]] rule, and wherein each of the intrusion detection rules further [[comprises]] specifies at least one action [[one or more actions that are]] to be taken upon determining [[when the means for using determines]] that the particular inbound communication should be treated as an intrusion event.

Claim 27 (currently amended): The system according to Claim 22, [[further comprising: for each of a plurality of potential intrusion events, means for defining a set of one or more conditions which describe the potential intrusion event; means for associating a sensitivity level with each of the sets of conditions; and means for determining a suspicion level of the particular inbound communication;]] wherein the means for using further comprises means for consulting a stored mapping between each of the defined sensitivity levels and each of the defined intrusion suspicion levels, using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched conditions, to determine if [[determines that]] the particular inbound communication should be treated as an intrusion event [[when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions]].

Claims 28 - 31 (canceled)

Claim 32 (currently amended): A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:

computer-readable program code [[means]] for defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;

for each of a plurality of potential intrusion events, computer-readable program code defining a set of at least one conditions which describe the potential intrusion event;

computer-readable program code associating one of the defined intrusion suspicion levels with each of the sets of conditions;

computer-readable program code defining a plurality of sensitivity levels for filtering intrusion events when performing the intrusion detection processing; and

computer-readable program code for performing intrusion detection for a particular inbound communication received for the computing device, further comprising:

computer-readable program code for determining whether any of the at least one sets of conditions are matched; and

if so, computer-readable program code [[means]] for using a currently-applicable one of the defined sensitivity levels, in concert with the defined intrusion suspicion [[levels]] level associated with the matched conditions, to determine if [[a]] the particular inbound communication [[destined for the computing device]] should be treated as an intrusion event.

Claim 33 (canceled) 

Claim 34 (currently amended): The computer program product according to Claim [[33]] 32, wherein the computer-readable program code [[means]] for determining further comprises computer-readable program code [[means]] for comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets, the current conditions in the computing device comprising contents of the particular inbound communication.

Claim 35 (currently amended): The computer program product according to Claim [[33]] 32, wherein the computer-readable program code [[means]] for determining further comprises computer-readable program code [[means]] for comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets, the current conditions in the computing device comprising contents of the particular inbound communication and a protocol state of a protocol stack which processes the particular inbound communication.

Claim 36 (currently amended): The computer program product according to Claim 32, further comprising computer-readable program code [[means]] for taking one or more defensive actions upon determining [[when the computer-readable program code means for using determines]] that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information stored in a policy repository.

Claim 37 (currently amended): The computer program product according to Claim [[!]] 32, wherein [[the computer-readable program code means for using further comprises computer-readable program code means for comparing the particular inbound communication to]] at least one set of conditions represents one or more attack signatures, wherein at least one of the attack signatures is a class signature representing a class of attacks.

Claim 38 (currently amended): The computer program product according to Claim 32, wherein the computer-readable program code [[means]] for [[using]] performing operates in the computing device for which the particular inbound communication is destined.

Claim 39 (currently amended): The computer program product according to Claim 32, wherein the computer-readable program code [[means]] for [[using]] performing operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.

Claim 40 (currently amended): The computer program product according to Claim 32, [[further comprising: computer-readable program code means for specifying, for each of a plurality of potential intrusion events, a set of one or more conditions which describe the potential intrusion event; computer-readable program code means for associating a sensitivity level with each of the sets of conditions; and computer-readable program code means for determining a suspicion level of the particular inbound communication;]] wherein the computer-readable program code [[means]] for using further comprises computer-readable code for consulting a stored mapping between each of the defined sensitivity levels and each of the defined intrusion suspicion levels, using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched conditions, to determine if [[determines that]] the particular inbound communication should be treated as an intrusion event [[when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions]].

Claims 41 - 44 (canceled)

Claim 45 (new): The method according to Claim 6, wherein the defensive actions are specified as actions in a rule in which the matched conditions are specified.

Claim 46 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises discarding the particular inbound communication.

Claim 47 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises limiting at least one of resources or traffic associated with a connection on which the particular inbound communication is received.

Claim 48 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises dynamically dropping a deny filter into the computing network to shun subsequent traffic.

Claim 49 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises reporting the intrusion event to one or more entities.

Claim 50 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises sending an alert to a management component external from the computing device for which the particular inbound communication is destined.

Claim 51 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises writing at least one event record to at least one of a system log and a console.

Claim 52 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises recording inbound communications associated with the intrusion event in at least one of a trace or other repository.

Claim 53 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises writing statistics records on normal behavior to establish baselines as to what constitutes abnormal behavior for the inbound communications.

Claim 54 (new): The method according to Claim 1, wherein at least one of the defined sets of conditions specifies a current system state of the computing device.

Claim 55 (new): The method according to Claim 1, wherein at least one of the defined sets of conditions specifies at least one threshold reached at the computing device.

Claim 56 (new): The method according to Claim 1, wherein at least one of the defined sets of conditions specifies at least one state transition to be caused, at the computing device, upon receiving the particular inbound communication.

Claim 57 (new): The method according to Claim 1, wherein the currently-applicable sensitivity level is specified, for the computing device, by a systems administrator.

Claim 58 (new): The method according to Claim 1, wherein the currently-applicable sensitivity level is specified, for the computing device, by configuration data in a stored repository.